tv Online Voting CSPAN October 12, 2014 4:05am-6:01am EDT
statecraft initiative and international security, the partnership they have formed with mcafee. we undertook a separate in part because of the practical results-oriented approach of our cyber team led to our expert jason healey, but it also affects the atlantic council into nonpartisan work. this is a bipartisan issue with both sides aiming to create a cost-effective, efficient, secure, and trustworthy voting platform. it is also timely as we head into the home stretch of midterm elections next month and we face the beginnings of what is already unfolding at the presidential election two years out. as we enter the season, the council is intent on working hard to help us hit a broader public debate on the role of the united states and the world and a critical ingredient to this debate is the extent to which our own public engages in the discussion, especially through voting, so this report makes
clear that online voting and e-voting could become a larger part of the political process in the united states and in other participatory democracies if the security is in place, and i think that is the key element of a. we believe this is a nonpartisan issue and endeavor, so our focus today is to highlight the new era in digital democracy is possible if we can get the security questions right and create trustworthy platforms. online voting is among those transformative technologies like the smart grid and for what's we must get security right to fully a markets potential. we are delighted that during the course of our program we will use technology to welcome the discussion representative jim langevin, a ranking member of the house armed services
subcommittee on intelligence and emerging threats and capabilities, has become a national leader on the issue of securing our nation's infrastructure in cyber threats and cofounded the congressional cyber security caucus. one of his staff members as part of our next generation programming and is with us today. welcome. we are delighted to have your and for all of the work you are doing as well. i would like to welcome tom gann of mcafee. he began his career on capitol hill as a legislative director to congressman tom campbell at the time. for house cyber security can lay a powerful role and enhance the well-being, with that, i look forward to us getting into this report and exploring that both here in the conversation and online, so tom, i welcome you to the podium. [applause]
>> well, it is a pleasure to be here. i would like to thank the atlantic council for hosting the event of rain together such a distinguished panel. the atlantic council is one of the leading think tanks in the world, and jason healey's leadership has been truly impressive. he has indeed developed a very fine cyber security process that has made significant contribution to the debate here in washington. the atlantic council and mcafee is part of intel security has started a journey to change the nature of the cyber security debate.
our goal is to move the public discussion from one that all too often focuses on doom and gloom to one that focuses on the age of the possible. we believe that cyber security can play a powerful role in the betterment of people's lives. the right security can enable more opportunities for people to vote. the right security can enable secure access to online information and services. the right security can enable innovations in the area of transportation, indeed in the area of true innovations such as driverless cars. our session today about the promise of online voting starts the discussion on the art of the possible. we welcome the active engagement from stakeholders in government, the private sector, and academia. building a consensus on the
positive role that cyber security can play in improving the lives of people is a vital addition to the debate. this debate for too long has been dominated by doom and gloom, the threat landscape, and an over emphasis on regulation. and more positive perspective that understands the importance of innovation and promise is a necessary addition to the debate. a more positive approach will enable the policymaking process to be more balanced, to focus less on regulation and more on the true promise of security and the power of innovation to move markets and bring better and more secure products to the marketplace. moving forward, we are planning
to launch a follow on a study that will focus on the importance of security in the area of health care. we now turn to the discussion at hand, the matter of e-voting. >> good morning, and thank you, damon, and thank you, tom, for kicking us off. let me add my thanks to mcafee for making all of this possible and to those of you following online, please follow us at #acevote and joined the discussion on twitter. we will not get into a discussion on the biographies of people in front of you. you each have that. we will do just a quick
introduction. on my right, we have jordi from scytl, the company in which e-voting evolved and how they get involved in countries around the world to allow people to vote. to my right, pamela. pamela smith has been involved in electronic voting, as has joe hall on my left, and you can see in their biographies many different areas to try to get through what are the most possible things in the near term and which things will take longer. kent landfield from mcafee on my left, getting security to work so we can unlock the promise of the most innovative technologies.
i wanted to start with jordi, and your company has been in this field, you have been presented with these hard problems and have to get solutions around this. what are the technologies we are really looking at here, and how have you been able to deploy them into the field? >> thanks. first of all, i want to thank the atlantic council for allowing me to participate in this panel. in terms of the interaction of our company, our company has been applying to internet voting, and from the beginning, we know that the main problem of electronic voting is not the matter of standards of using it from security, so we use security, and we designed protocols to try to solve complex problems. one of the main problems is we
need to preserve privacy to voters not only for the -- during the voting process but also due to the encryption process, and this is in the neck and be used in electronic transactions. so we start to think about how to do this, we are using protocols for allowing this, for providing this, and then another thing we are doing and also providing -- it is not only a matter of providing privacy but a third point that is very important -- we are managing an election not only on internet voting by traditional election also is to allow people and allow third parties to provide that transparency. that it is more difficult to provide when we are moving in an electronic environment, so now we are also providing this. our technology also provides to the norwegian country, and also in switzerland, they also use it, and the verifiability is very important to online voting. in this case, they had changes on the standards to require electronic voting, especially online voting in switzerland, in which the user's the verifiability is important to allow voters to cast their vote. this is a specific case in switzerland. they started setting up up to 10% of the electoral vote. we are allowed to vote online.
they have pilots for allowing internet voters and they say they want to manage the risk of introducing internet voting in this country. currently they changed the law or they change the standard in case of the different countenance doing referendums, they want to increase the number of the population that can use internet voting in of these referendums, in case they want to increase the number of electoral, up to 50% of the full growth of the voters, they need to introduce verifiability.
one of the things we have seen that is pretty important for providing security or to manage the risk presence on internet voting is the verifiability to check that. at least everything is happening in a proper way. >> you mentioned two separate technologies. on one hand, we are talking but electronic voting, but you had
also mentioned internet voting. can you just walk us through and what do we mean by both of these? sometimes when we add an e in front of it we assume we're talking about internet, but i don't think you were, so can you qualify? >> e-voting means using electronic means were casting a vote, not only online but also in polling stations using the standalone machines. >> so like if i go in and it is a touchscreen, that might be considered e-voting, but it is not online voting. >> exactly. e-voting is focused on specific machines the internet voting is opening the door to voters because the voters come. you can vote at home. in this case, the voting turnout is they have voting device, so
the risks, the security risks are higher in these cases, and in the requirement for providing so forth against any context during the voting process or more important. >> and this is apparently where you have been spending a lot of your time, you and joe both. any thoughts on the things that jordi mentioned? >> first, thank you also for having us all here. i appreciate it. i agree strongly with the white that the report made about the
difficulties challenging solving the security privacy issues. with voting in a polling station or via a voting machine, there are a number of issues that may come up. for example, if the equipment should happen to break down, you need something else to vote on to replace it otherwise people are disenfranchised by that malfunction, so typically the backup is a paper ballot. if your standard voting system in a polling place is a paper ballot counted by an electronic machine, even if the electronic counting machine breaks down, people can still vote, so one of the key issues you are looking for in a voting system is availability to the voter when it is time to vote. with an online voting system, there may be challenges with availability if, for example, there is some kind of denial of service attack that could occur during the voting period, particularly during the last phase where everyone has to leave everything for the last few minutes.
>> this would hit the united states to because constitutionally we are voting on one day. you can say ok, we can spread out the voting over longer period. if all of the voting is having on a single day, somebody can just run a denial and take it. >> that is partly true. some states do early voting and then an absentee ballot is done over a longer period of time but what is key here is there is a deadline, so in the event that a denial of service attacks caused a major disruption and it has happened in a time frame where there is no more time to solve that problem, there is no voting
sort of after election date, so the deadline factor is key. >> that is not even a voting problem, that is a plain internet problem, that the internet cannot be trusted on this, it is not 100% available. >> right. there is a lot of work being done to handle the problems that can arise, and even simple failures, we have seen failures of online voting registration systems that happened right before the deadline and cause some people not to be able to register to vote in time for the upcoming election, so timing is important, but it is also important to note that is most elections are run, they run in the united states anyway, they are run by local jurisdictions, and local jurisdictions are counties or townships or parishes, and those counties tend not to have great, big i.t. budgets with lots of funding for i.t. staff and really robust capabilities for avoiding the downside of the attacks that may be a major corporation even has challenges avoiding they are putting millions of dollars behind that, so that is another
-- we have to think about how elections are conducted. really the promise that any robust democracy makes to its citizens, to its electors as that it what provide them with justified confidence in the outcome, any voting system you use has to be able to demonstrate clearly to the loser and their supporters that they lost, and to do that, you need actual evidence. voters need to be able to see that their votes were captured the way that they meant for them to be and election officials need to be able to use that evidence to demonstrate and that both were counted correctly, so that is what we look for in any voting system. >> wow. >> that is a good baseline. >> right. it seems like it should be so easy -- we are voting for who is the best singer, who has the best variety act on television. are a lot of folk saying we ought to be able to have this? this is for either of the two of you. is there a lot of demand saying how come i cannot just vote on my phone?
>> at first there is the question -- we do everything else online, why would we not do this online, too? without getting to the last step of transmitting a voted ballot over the dangerous internet, but you could do things like register online, you can get ballots to someone who is remotely located, say military and overseas voters, who after additionally had a hard time getting to be able to vote in time, get their ballots back in time. if you can transmit a ballot to them instantly, you have cut off a big chunk of the time they need in order to get the problem solved, so there are many things we do online, but what most people do not think about until you sort of talk it through is that elections have special properties that other online transactions simply don't have. the anonymity property that votes are supposed to be
anonymous, separate from your identity, you have to authenticate that the voter is an eligible voter but then you separate that identity from their actual vote. that is a really challenging problem in auditing generally. >> regarding the young generation pushing for online voting, yes, usually the experience we have, or least we checked the statistics about who is using online voting, young people usually tend to use more
online voting. in the experience that we introduce online voting, where not talking about substituting completely any kind of voting with online or electronic voting. in this case talking about in france where they're using online voting for over -- after using two or three times, more than 50% of overseas voters are choosing internet voting, they can vote in person. currently the statistics -- [indiscernible] -- especially when you're talking about remote voting, remote voting can be online by electronic means. they can use postal voting. they prefer to move to internet voting. --
[indiscernible] >> so the internet would give more immediate feedback rather than sending a stamp and sending it off. people understand to an actual letter when they send it off, but he will have no idea what happens to their ballot. >> your mail ballots can often be trackable. one of my favorite stories demonstrates that we don't really know yet about who wants to use it and how the public uses it, and is there a measurable impact on turnout. i think there is still more research to be done. in a place in ontario where they decided to experiment and a pilot allowing online voting. they had a 300% increase in turnout in early voting, but zero turnout increase overall. what that meant was that people who were going to vote anyway tried out this method, but it
did not make more people vote. >> that is interesting. i'm going to turn to joe here. one of the things you helped with when we are reviewing the paper was, internet voting isn't just the casting of the vote. that was an important change to the paper we added in, there is the registration, there is the collection and processing of the votes. internet doesn't just have to be the clicking next to a name. you can look at all these different places in ways that we can improve the process. i was really glad for your input for that part of the paper.
i had first started to get interested in digital voting, electronic voting, or in the early 1990's, because we were writing about the third wave, newt gingrich joined in and they were doing books and writing together to say we can have a truer, freer democracy, more like the founding fathers wanted, where we can come together and issue our votes on home computers. they weren't thinking about phones back then. and help us find this better democracy. but that was 20 years ago. and it's coming together in some
places. what is the timeframe looking like here? >> i have got a few positive things to say, but a lot of what i'm going to say unfortunately is doom and gloom and very debbie downer, for lack of a better word. the vast majority of experts that work on voting security and voting technology would agree that somewhere in the 30 year to 40 year timeline is the point where we have the infrastructure that can support secure online voting. >> 30 years to 40 years, starting in the mid-1990's? >> no, sir, starting right now. >> oh, my goodness. >> there's very good reasons for that. make no mistake, we have to solve this kind of problem. the reason we have to do that is to the extent that we want to have remotely physically distributed representative democracy, there's going to be situations in which physical exchange of matter is impossible. say two colonies on mars. this may be a thing in the
future. there are places where exchanging physical matter to be the auditable record of the vote is going to be extremely challenging, if not impossible. you either have autonomous, separate democratic bodies or you have to have some way of doing this kind of thing securely. not only that, the positive externality of doing work on this is that to the extent you solve some of the challenging problems here, the core cyber security issues that we work on every day, that has a lot of benefit for other kinds of applications you can do on the internet. the one trick here is there are number of risks that are solvable, some are not. we can go through them real
quick. when we talk about internet voting, it is on uncontrolled platforms. if you're going to do some critical democratic process like voting online, you don't want to leave that up to the security of people's desktops, laptops, and phones. you have a lot of crap on your desktops, laptops, and phones. you may not even know the extent that you have that stuff on there. moreover the intelligence communities around the world have made a business lately of undermining the infrastructure of the internet in such a way that you don't know exactly what is happening with this stuff. the unsupervised nature of internet voting, and this is similar to the vote by mail, so one dirty secret from the security and private extra to work on this stuff the vote by, mail is an unfortunate legacy thing we can't get rid of. it has the property that, unfortunately it's very easy to coerce people that are voting in an unsupervised environment in a place where you don't have someone making sure the proper policies are in place so that someone cannot sort of force you to reveal your vote to them and things like that. people don't realize this but there's a great paper i can point you to that shows you before around 1900 with the adoption of the secret ballot in the u.s., election day was a payday for some people. you to get a couple months' pay for proving to someone how you voted. once the australian secret ballot, which is a government printed standard ballot cast in
secret, once that spread, voter participation dropped precipitously because you no longer could make a connection between how people cast votes and the person paying it. the election went the other way. it is not worth my while to actually buy these votes. >> i know the estonian system allows you to vote multiple times and only your last vote cast actually counts toward the election. i would think that the technology might help provide a more elegant solution for this. >> those are things that help. none of those are perfect. no one can take your government id card after they watched you vote and not let you have it back until the deadline.
there's a lot of layered techniques that adversaries can do. it makes it harder, but at the same time -- there are records of how people voted which is contrary to having anonymity, and they have an injured structure where everyone has a cryptographic key associated to your identity and used for a whole bunch of other things. it's almost embedded in how you interact with government. we do not have that, and it is very unlikely we will have that. >> if we had to have a national id card so we could all vote digitally, i think it would be a long time coming. >> that is true. a quick point i want to make, there are two other risks that are important to mention. one is the opportunity of
wholesalers and retail kind of attacks. paper balloting is no panacea in the sense that you can do a lot of things like ballot stuffing. i a lot of it ends up being retail which means you have to touch a lot of stuff, a lot of boxes, a lot of ballots in order to accomplish those kinds of attacks, whereas being a purely software-based thing, if you find one problem say a heartbleed, if you're recording all the encrypted traffic, these are serious things that any system that said it was secure was not secure the next day. the final thing, by having publicly routable in points, servers that are excepting votes online, you expose the probability that someone might be able to attack the stuff to anyone in the world compared to a more controlled type of system. the second you have some really attractive candidate that hackers really like, a second that happens in an internet balloting election, that person will win. i can bet you $100 right now that will happen. because they will find a way to subvert them in some way. >> especially in countries where it is winner take all, you can certainly imagine someone spending a million dollars is not a bad investment for a piece
of malicious software that would try to subvert the election. that would be small change, and i like that wholesale versus retail. but we know were going to need to do this. we cannot just be saying in 50 years or 100 years, and we are still filling out paper and still doing these touchscreen machines and worrying about hanging chads and the rest. kent, you are in cleanup here. >> one of the things we need to understand is that voting started very early in our republic where you would have to go to the courthouse and be sworn in by a judge. there was no real registration process at the time. from that you would then voice your choice to a panel of folks who were keeping the tally.
that was very useful because it did allow us to have outside observers see really what the vote was, and to have a very consistent vote. fast-forward to the 1990's were you start to see electronics come in to the voting process, voting machines that are used for casting as well as tabulating votes. the technology has sort of driven some of the processes of what we do today. those machines are very costly. we try to have elections together, federal, state, and local. we try to do that and established polling places where the equipment can be brought in and the like. today we are dealing with a very different world than we dealt with just 10 years ago.
iphone was not around. we didn't have the mobility that we have today that is driving the need and want to be able to vote from something other than those established polling places. the problem is that we are in a situation where technology is changing very quickly, but we're looking at a problem itself that does not lend itself to operating well in the generic internet environment that we have today.
identity is a real problem today. identifying somebody definitively is something that has to be there to support the one man, one vote aspects. efforts such as the national strategy of trusted identity in cyberspace are advancing this in a very positive way from an identity perspective. there are standards efforts in the ietf, working group around trying to figure out how to really provide real identity on the internet. >> the ietf? >> oh, sorry, the internet engineering task force. they have established most of the standards that we operate under today with the internet. the key here is that we are starting to see some of the building blocks of technology that will make the infrastructure possible. today we don't have an infrastructure that can successfully work well in guaranteeing electronic voting online. there's too many ways it can be circumvented and attacked. attacked at the server and the pc's where they are casting their vote. botnets that capture keystrokes and look for certain types of activities can really be modified very easily to use that targeting internet voting.
with that said, the reality of what we're seeing is technology is moving forward. we are evolving rather quickly in the last 10 years, and i don't expect that advancement to be reduced over the next 20. the focus that we need to have is to look at really what the requirements are for internet voting. they are different than e-commerce. as such, we need to address them specifically. we need to make sure there are real standards in place so that the folks -- the security experts reviewing the different parts of the infrastructure actually have the means to have a consistent view of what's occurring. today we have a lot of proprietary means for -- in the e-voting arena and we need to have this to be much more open and standardized so that we can see and evaluate the voting mechanisms for the security threats that could compromise the national elections. >> i feel like to some degree we are not all saying -- to some degree we have to fix the internet. the problem we've talked about is attacks that are inherent in the infrastructure that we have or the difficulty of identity, so it sounds like because the internet itself is pretty shaky,
that anything that has to be -- have the things jordi talked about, audit transparency, is going to be shaky. although i do wonder if some of what we tend to be thinking about, especially as americans, we tend to think about the big national elections held in november and held for hundreds of millions of people. it seems like there interesting case studies happening in other places that jordi's company is doing or jurisdictions that are much smaller. maybe for a citywide election or other areas. is that a good way to start building? >> i don't know, jordi, the want to respond to other things we talked about? how does this work when it's not a big national election for huge country, but building from the ground up? >> i think what is important -- one thing is i agree there are risks, security risks when we are introducing internet voting. the way to manage this is to provide the proper measures for managing these risks. is something done in national elections and it's something that is done with internet voting. there are countries that when they started to introduce
internet voting, they are introducing internet voting involving also academic and security experts that have the security requirements they need to implement things in a proper way. and then what are the security requirements that need to be fulfilled by any voting platform that needs to be put in place. they are starting not for the entire electoral vote but to a specific group of voters so they can start to pilot these and see the reaction of the people. if they see that things are stable and they can trust what is happening, and this involves security experts about how things are happening there.
but it is important, it seems sometimes we are continuing the risk of other voting channels. sometimes you can solve these risks him and you mentioned that in the case of estonia, norway and other countries using -- to be sure that they are real voters. it is important that they can continue to solve problems in other voting channels. >> how is norway using --
local, regional -- >> it is at a municipal level. 12 municipalities were using internet voting, and they are thinking about introducing it to other municipalities. they are allowed to vote multiple times and voters can also vote at polling stations. this vote is the vote that will be counted in the case that the voter voted multiple times. >> interesting. any other thoughts in this question about scale? >> i think the pilots are really important. you cannot see them naively as being a surefire way of getting to where you want to go. to the extent that we want to run things in elections that we
really care about, you have to run them in elections we don't care as much about. in the big one for sure. you can imagine mr. tony soprano looking at a $150 million bond for a landfill or something and saying i just spent a million dollars to throw this local election. there are some cases where you will see things like that being pretty serious. at the same time, you got to do it somewhere. for example, i live in tacoma park, which ran the first fully end-to-end auditable election in an actual government election, which is a really big learning opportunity in terms of making sure that people can use these things. the real challenge, and this is something i work on every day, making sure that putting a piece of paper in the ballot box is something people can understand. we have thousands of years of experience of doing stuff like
that, whereas cryptography, i can talk to you about a box with two -- whereas cryptography, i can talk to you about a box with two locks on it, but it's not going to give you the smart high school level, i can actually do the math on my own and get to the end. we need to get to where things are that simple where you can walk or the protocol yourself, being a smart high schooler, which is my lowest common denominator. >> they're very few public test opportunities before you are running an election with real votes in real time, you need to have the opportunity for hackers to have at that system. in cases where that has been allowed like the d.c. case in 2010 where they ran a test before using the system in a live election, and it was breached inside of 36 hours. it's a really interesting scenario, but they had to be authorized to do this. had that not been a white hat hacker, had it been somebody who
had malicious intent, they might have breached the system without letting anybody know and then had their way with the results. so it's really important there be these public testing opportunities and that the results of those public tests are made available so that we can learn from them. >> that was such a beautiful attack. >> let's talk about it real quickly. >> a team within 36 hours found a way, when you type in a file name and sometimes -- the idea was you upload a pdf of your ballot. it goes and finds your file and puts it in there. they found a way of getting crazy characters into the file name that basically got you complete control of the system and that automated a little programming language that allowed them to change every single ballot to a write in vote
for evil computer movies. like hal-9000 and things like that and then they modified the web form where you did this stuff to play the michigan fight song after you cast a ballot. so you had people saying -- hey, what is this patriotic, weird sounding music, it's the michigan fight song. >> worst of all is the elections director was a buckeye. >> we have been talking about the internet is so difficult to secure, but if that almost every level we have these vulnerabilities. this came up earlier. you're working on these untrusted machines on this untrusted network. that doesn't make it impossible, but it means you need to be going through each and every step on this untrusted stuff and say how can we get it trustworthy enough so that it's
as least as trustworthy as the paper of the stuff it's going to replace. that can become a very difficult spot, especially when the manufacturers of this gear aren't always as nice as d.c. was. they put it up online so it could get tested. when it got hacked, they did not try to go to prosecutors. they said maybe in fact it is not ready for prime time. >> part of the issue here is that we are trying to solve a problem in a very small scale and it has to operate in a very large scale. we have different types of elections. we have federal, state, and local, and each has its own specific needs and requirements. when you're looking at a microcosm of a local election, it's easy to see how electronic voting, online voting could potentially work. but it doesn't scale to a state
or large u.s. kind of national election. the problem really is that this needs to be a designed aspect instead of an emerging aspect. if we don't want to wait 30 years to get the internet as stable as it could be to support electronic voting online, then we need to start looking at how we can design the voting system to ride on top of that kind of infrastructure knowing the infrastructure itself is not as secure as we would want. with mobile computing, with internet of things and the other types of new advances we are seeing, 2008 the iphone, 2009 it came out. it's a very fast-moving world. we are going to have to have a means to secure the voting needs on top of a potentially un-trusting environment. it's a different type of looking at the problem. if we can address the problem in that kind of fashion, then it
doesn't matter whether you doing it from your iwatch or from your computer at home, or if it is a voice recognition thing when you walk into a polling place or an absentee ballot from mars. >> i can't tell you how much kent calling this standardized stuff resonates with me because if you look at cryptography, you throw a bunch of ideas out there in a very open fashion. you get the best people in the world to bang away with it. it's a pretty good way to identify flaws that you may not have seen. >> jordi? >> i want to mention something. the way we are now focusing on
how to monitor this risk in internet voting, things are evolving and it's impossible to say that 20 years from now the internet will be completely secure. we will have new threats, so the idea of the verifiability is the same idea of the election. you cannot say i have botnets -- ballot box, and nobody can open this. it is something you cannot control. the idea that it is possible to verify what is happening in the voting process. the voter for instance can check that, at the end, the electronic vote is stored, protected in the server, really contains the voter intent so the results really represent the content of the vote. if you can't verify this in a way that you can have 100% sure
that nobody manipulated things, then you can react. if the voters see that it has been received by the server, may be it is a traditional way for casting a vote. it's a way to say i have no security problems now, but maybe in the future i hacker may find a way to bypass some security measure and manipulate my vote. but if i cannot detect the manipulation, then i cannot react. >> one thing i don't know if scytl does is the notion of future proofing. you want your vote to be private, not only now but for a long time in the future, to the extent that the lincoln figured out how we voted in the past or
smear our record of whatever they wanted to do with that information. some cryptographers have developed ways of creating protocol that basically say no matter what could happen in the future, your vote is safe at least up until we have quantum computers that can crack this stuff. that's the kind of thing i like to hear people worrying about because i worry about my vote in 15 years. >> everlasting privacy. >> this idea about cryptographic our rhythms that cannot be broken now, but maybe in the future. we have quantum computers, the worry is that somebody can decrypt the vote. this is something very and board it. one important requirement is that the encrypting processes preserving privacy. if someone is encrypting a vote, if they cannot correlate, using processes that can prevent
correlation, it doesn't matter if someone can decrypt it. in any case were working with algorithms. >> if someone does get your credit card, the most likely worst-case scenario is someone gets hold of your credit card and they use it and make fraudulent purchases, and that is bad. but it is solvable, and especially, we don't have to
worry about it. at most in the united states we would have to pay $50, and most of us don't even have to do that. there might be some trouble about getting a new card, but essentially it's not that bad a problem for you personally. i think we are used to that, saying it is risky but not such a risk that is going to scare us away from e-commerce right now. but this is not just someone getting your credit card and you might have to pay 50 bucks and do some things. you could get disenfranchised and it could change your vote. in some countries you could be killed if people could figure out afterwards how you voted. so the downsides of getting it wrong seem to be --
>> once fraud occurred in a vote, you can prosecute the perpetrator. you can fix the problem, but you can't change the ballot because you don't know how those votes actually occurred. that by itself would be a corrupting factor in an election. >> not just the privacy but the verifiability of the audit transparency. -- we talk in legal terms in court cases about evidence we talk about chain of custody of the evidence and how important that that is unbroken. it's important because you have to be able to rely on it for the various applications all the way through the process. having that property of evidence of the voters vote having been captured correctly, the way they intended it, and then that correct version, not some corrupted version eating what gets counted and then audited to demonstrate that the accounting part of it was correct, the
process is really key in things like the case you mentioned of someone getting hold of your card, someone used my account to rent a limo in arizona at some point, and i called the bank and said i haven't been in arizona for 20 years, maybe. so that wasn't me. they said no problem, we will make that right for you. with voting, you cast your vote maybe from remotely, you don't get to call up the election official at the county and say i voted for so and so, can you see i voted for candidate a? they should not be able to say yes i can see that you voted for candidate a.
next you voted democrat the last 10 times, this time you voted republican, something must have gone wrong. we will cut to the representative and then we will come back to audience question and answer. >> am i on? >> yes sir. >> first of all, it's great to be with you today and thank you for the invitation to join you remotely. i especially want to thank david wilson and the atlantic council for making this possible. i would rather be with you there in person. somehow fitting i guess in this discussion about the promise of digital happening over the before i begin, let me just say
i have great interest in increasing voter participation in our democracy and i always look for innovative ways to do that. i have a long history of being involved with the electoral process with the legislature. i served for three terms and have a great interest in election reform in making voting easier. we have a number of horror stories in rhode island where we had people waiting in line for hours and hours to vote, and sometimes we actually had the oldest voting machines in the country. sometimes we had to get on our hands and knees to read the
bottom of the ballots. not to mention the fact that being disabled myself, i was never really able to vote on my own independently going into the machine. i had to have someone with me and assist me. it wasn't until i became secretary of state and i actually overhauled the states entire system that there was accessible voting for people with disabilities. i actually chaired the special legislative commission looking at alternative voting technologies in the legislature and implemented the findings of that report when i was elected secretary of state. but i'm excited about the future
and about technology. we have to proceed of course with caution as we work to ensure the integrity of the elections process. so again, i really am enjoying -- this is an issue that means a lot to me personally. it really is a marriage of two passions of mine, going back to 1994 when i became secretary of state in rhode island, i really had the impurity to confront huge challenges of electing a transparent government. i've seen firsthand those areas where you can have trust and faith in government. also many very passionate about the accessibility of the voting process which is really so fundamental to our democracy. even voting has incredible promise, specially to the population of disabled voters
who require diversity of interfaces to the voting process. it's what originally interested me in the field but my time in congress has given me a complementary perspective on the topic. so in 2008, i founded the congressional cyber security caucus with my friend mike mccall because i was concerned that congress was paying far too little attention to the potential of the cyber intrusions and could cause great harm to our country. chief among my concerns is that critical infrastructure could be vulnerable in this new domain. of course our voting infrastructure is central to our
country's existence as a democracy, and just like any other sector, there are vulnerabilities in expanding the use of this technology. our electoral system comprises two fundamental principles. each person should be entitled to cast one and only one vote and then his or her ballot should be kept secret. unfortunately, because these principles can clash with our desire that elections be fair, that a voter should have confidence that his or her vote is counted. the traditional system does the next one job of ensuring anonymity and there are very few instances of actual voter fraud or intimidation. hundreds of thousands of ballots are spoiled each election cycle
preventing voters from being heard. additionally, the ballots and cells are vulnerable to tampering. to reduce the risk we rely on distributing e-voting systems have the same goals but must achieve them in very different ways. for instance, in traditional systems, double voting is prevented by retiring that a citizen vote only in his or her precinct, preventing double voting remotely while retaining anonymity as winter prom because the scale can be orders of magnitude larger.
challenges of scale manifest themselves in other ways, including the ability of a single bad actor to compromise multiple services. it turns out that cryptographic systems allow one to do all sorts of counterintuitive things. but here is the rub, channel communication between our brilliant photographers and policymakers, into in verifiability, it allows archers to confirm that ballots have been counted correctly without relying on the integrity of those accounts. policymakers understand than a matter how corrupt elections are, if a camper with results, it will be noticed.
but they definitely do not understand how it is implemented in different systems. in fact, it is often viewed as borderline magical. once the system uses a mathematical property for security and one relies on the integrity of election officials, it's not necessarily going to be evident how it will work without the concerted effort to educate politicians. there's a real risk that they will come to view it as different versions of the same product. the security of the competitors may be wildly different. it's difficult to overemphasize
at this point, so let me put it another way. politicians are used to shades of gray, and that is a good thing. policymakers need to compromise. but the ability to see ambiguity can be dangerous when confronted with the facts that can be lumped into theories, and it is imperative that the properties that we would like to see in a system such as the into in verifiability, or policymakers are not the only fallible humans involved.
even a cryptographically sound system relies on people to code it, deploy it, and people to maintain it. a coding error might cause denial of service attacks that halt an election. it could allow an adversary to steal voting potential's and cast a ballot during routine maintenance. a database could be deleted resulting in a huge loss of voter privacy. these vulnerabilities are real and the haldeman group analysis of estonia's voting system showed problems across all three of these phases. so it is important to realize that our present voting system has numerous points of failure.
but the complexity of e-voting against sets it apart. being a checker or ballot clerk in a traditional system require specialized skills. being an administrator requires significant training and experience. experienced cyber security professionals right now are in short supply. it's something i've been talking about for years, we don't enough people going into these fields. we could change that in a number of ways, starting at the high school level, to encourage young people to go into science, technology, engineering, and mathematics. especially in the field of cyber security.
cyber is a relatively new domain that is still ramping up, cyber training capacity, but part of it is also tied to the inherent difference between cyberspace and me space, you might say. defending against an adversary has always been difficult. an attacker needs to find only a single point of getting in while the defendant must defend against all possible breaches. is exponentially more challenging and cyberspace. it's just as easy to attack someone across the planet as it is to attack someone across the room. so the attack space is much larger.
it's almost as easy to attack everyone's vulnerability as it is to attack one entity with vulnerability. as a result, attack is more lucrative, which draws off important talent even as more defendants are needed. government agencies have been particularly hard hit. part of this is due to the problem that i highlighted and part of it -- we can also blame the lack of coordination with the government in the corresponding duplication of effort. the problem of homeland security -- it was patched almost immediately. however, because it had to ask other agencies to scan their networks for the flaw, it took days in which hackers were robbed gating in the wild.
these are challenges were propagating in the wild. these are challenges that will have to be addressed if this is to be deployed in the united states. it would allow for top level budgetary review of a cyber budget. i have strongly advocated for increased funding for security research to help grow our academic infrastructure to meet demand. i've offered alternative practices that allow programmers with nontraditional educational background the chance to protect their country. i think we can make use of their talents and we should. all congress continues to
deliberate, i believe it will help raise the standards across critical infrastructure domains that a company like target that could be hacked through its vendors shows exactly why we need to raise the bar. let me just say before i close, i hope you allow me a brief digression into hindsight security. the government talks about -- the focus is always on the service side. we can maintain the integrity, the question should be can we maintain the integrity of the ballots cast, but if the ballots cast is compromised, relying on a voters smartphone to honestly represent his or her intention
is simply naive with malware as prevalent as it is. it cannot be limited to the edge of the government network. so to say that e-voting is a challenging prospect is really an understatement, but just as there are many security concerns in the cryptosystems with the humans that run them and the devices, there are many potential benefits as well. so i reject the notion that e-voting is a solution in search of a problem, just as i reject the notion that it is ready today.
changing something as essential to our identity as the way we choose our leaders ought to be a deliberative process, and an inclusive one, and i hope i have impressed upon you the importance of engaging with policymakers about eve voting systems and as a corollary, i hope you will join me in advocating for better training of cyber security professionals to defend our country from harm and better advised our nation's policymakers at the same time. with that, i thank you for the work you are all doing, thanks for the opportunity to weigh in on this issue. i thank you for allowing me to join you remotely. i would rather be there in
person but this is an appropriate way to communicate with you today as well. i look forward to working with you to address these challenges. i'm a big fan of technology myself, i use it every day as we all do. but not without risk and challenges. so thank you very much, and enjoy your conference. [applause] >> thank you, congressman. that was a wonderful description of the balances that we are talking about here, and the congressman is from my home district in rhode island. he covered a lot of things we have not even talked about here, about waiting lines and the amount of convenience, about this able than others that might have difficulty getting to the
polls. he covered a lot of interesting things. i did disagree with him on that there are not enough cyber professionals. we do have plenty of cyber professionals, they are not just all working on the correct side. before we start taking questions, any additional thoughts? >> i thought it was great that he raised the issue of how policymakers are involved and need to be involved and at the same time, it's really difficult. expecting them to have a deep and broad understanding of something like cryptography, which the very word makes my eyes glaze over, i'm going to go ahead and say that. it's really very difficult. i think that finding the balance, lawmakers do make compromises.
they weigh risks and potential benefits. it's hard to really even understand what the risks are, and that makes it a little more challenging. and then sometimes policy will get made that may not be taking everything into consideration, just because it is so complicated. he did weigh in on the framework for cyber security and urged that voting in elections be considered part of critical infrastructure. the other thing he mentioned about enough cyber security administrators, how do you compensate them enough to work at a small elections office and accounting where it it's only part time of the work that they do? >> most of my job is translation of policy makers, but also explaining how and why technology impacts their life. one of the things he mentioned
we did not talk about much at all is the promise for accessible, independent interaction with the system spirit a lot of people disabilities have to use very specialized equipment to allow them to interact in digital online forums. they often get used to the one thing they know how to use and how to navigate using a head stick for people who are advanced water pleadings, or certain kinds of screen readers. oregon has something called an online ballot marking system. you can interact via a normal computer. you can use all your own accessible technology. that has a lot of rom us and we want to see as many involved with that.
>> we really do have to look at this as a problem itself, not trying to see it together. >> one important thing is, he was talking about the importance of the security of the infrastructure. not only on internet voting, anything -- a lot of information related to the election is managed by computers. and using i.t. on the electoral process should also be considered and other processes, not just internet voting.
the hacker is going to use it for something, he will try this first in stead of trying to -- it is important that it moves to other parts as well. as for questions, i have 1, 2, and 3. the microphone will be coming to you. >> thank you. i've heard a lot, which is great. being the first country that had national elections online.
there have been several questions about the militant so on. the point i want to emphasize, the word that hurts here is trust. we estonians are used to every interaction with the government for the internet. the government has really tried to make the systems as reliable as possible. people have expect haitians towards the government provide different services, and the online vote is natural for us. >> we've had several expert teams come to a study and assess that. for the tech geeks, the online
voting, it is open. i have no idea what to do with that. i am sure that they can join everything. i basic question is about the trust. if we do have the trust towards governments, and we put that into the context of the united states, any kind of system is inherently not trusted. is there any possibility that also here this technical solutions could have more transparency? quickly will pick you point as we feel all -- as we eve all. the internet has some core, not
trusted aspects to it. there is a distrust of our government in the united states. there has been a combination of both parts, trust in both areas. it sounds like you have that in estonia. you have much more -- you have some foundational pieces that are solving the problems. like your national id card. that provides an identity that we don't have here in the united states. we need to get some of these building blocks in place. trying to move security down below the operating systems so that we can solve the problem with a trusted platform. that would take years for those platforms to be throughout the home and consumer markets. >> i was recently in particular.
some of the smaller countries think that there at a this advantage. discerning that shown that it will allow you to be much more agile, much more responsive to the numerous passion of her technologies that come out. >> it is one election jurisdiction, not 7000. >> i like to say that trust, for prosperity. to the extent that these systems aim to, but it's hard to compare coca-cola to an increase, this is the correct thing, the valid, you know, the data structure, that is an extremely important part.
it's crucial for verification aspect. next tesla had one of their cars there. that is a different relationship between manufacturers. >> let me congratulate you. ask the panel. the issue that strikes me is the insecure and for structure, hardware and software, we can over to rely upon it. we have a convergence of activities. they are trying to look at international trade and what we do. it is virtually the same type of concerns expressed to.
national security council staff is meeting up on transportation safety, administration. that is over a vehicle to vehicle proposals, because you know him to -- because security is not filled in. this could play a useful role in calling out for a heavy investment, internationally possibly, specifically in the united states is problem, to help us, to give a little plug to intel. make the investment across the board that speeds the introduction of safe software systems. without fact, none of the systems are trustworthy. we will not be able to put a layer on top that will ever get away from the invented threat that reads the key to your encryption. it is an impossible task. mckenzie put out in june history
recommendation. it is making its way around courtrooms. we are the thinking about endorsing it. thank you. >> first, i think that government and to help speed this along, the trustworthiness. it has been a key question here. are there other things that governments can be doing to help get us to this place, to shorten this 30 years to 40 years? >> for example, the gentlemen raise the question of the national transportation security, there are proposals for vehicle to vehicle
communication. for example, if you are hearing too far off the road, and there is a radio broadcast that says, hey, man, you are running off the road. people care about the privacy of their location. that is something that if it is done in the open, then people like we are seeing nonprofits with heats on staff. people like can say, i don't think you need a vin number to do this. it is starting to happen in the hacker community.
they have developed this effort called "i am the calvary." these are efforts -- the hacker community is saying that we often break stuff, but we have to step up. there is no calvary coming to save us. we have a responsibility to help save the world, so to speak. it is berry ambitious. i think you will see a lot of wonderful things. to build things, while we break things. >> i think the government is doing some things, with respect to the national institute for standards and technology. they are working on voting technology. they have done research reports which do help on pack what the
issues are. they described that in ways for anyone can reagan understand. they have written reports that are geared towards someone who works in an election office. as of yet, we have not developed standards for an internet voting system. we are a little ways from that. there are some nongovernmental efforts. what specifications might be needed? that is a little ways off. i think what -- joe said something that is important, getting all the stakeholders the opportunity to provide input. that is why i appreciate something like cyber security.
>> one thing that struck me in the conversations that i have had over the past week was to have a machine involved in voting, or technology involved in voting, there is a certification process. that hurts us even further, because when you want to update it for security reasons, you might have to recertify it. it is one of those things -- what we can do to help security a long might the ways to speed that process up so that we can get the more secure technologies. >> you can tell at the backend if it worked right during the election to help you eliminate some of those certifications. it requires the ability to audit.
>> it is not focusing on the trust of the government. it is to address the critics that things are happening in the proper way. we are talking about specific hardware. it should be a combination of things. we will make the security more difficult to happen. in case this protection fails, it is possible that this happens. it should be a combination of both. since maybe there are people who trust the computer or they have been certified by an authority -- they want to jack any time
during the voting process. we need to combine both things. the certification will in short that security practice has been taken into account when this computer has been developed. the first responsibility is to the voting process. >> we are going to do ron, and it will come over to this site. >> thank you. network security analyst with the carnegie mellon university. with your impressive knowledge, it may make me change my mind about congress. [laughter] i am a new englander,
originally. you stole my thunder a little bit, joe. the difference between trust and trustworthiness. we don't want the government to be what is trustworthy, but the systems to be trustworthy. just yesterday at a secured conference here in washington, d.c., general alexander, the head of nsa, said the current architecture of the internet is indefensible. what we need for trustworthiness is, number one, not mathematical proofs that ballots can be verified. what we need is transparent systems that all voters can understand. the main way we know to do that is with durable paper records. they have the additional benefit of allowing the voters intent to be re-examined and provide
meaningful recounts and audits. that is my question. isn't the trustworthiness in the systems what matters? the supervised voting, which is an insurmountable problem. >> i think you are right on the transparency and what voters can understand. i would say you are the point technology, interacting with voters all the time. how is that trustworthiness in the system? do they come out of it and feel that it was a great experience? >> it is more or less what i said before. the majority of voter trust is with the system. we have people who do not trust the systems.
people need to say that it does not matter. it is important that the system can be audited. if we are talking about unsupervised voting, it can work. when we are talking about remote voting, which would be the solution, for instance, maybe the voter can print the paper at home, but what will happen with this paper. is it enough or not? it is an important part of using this process to understand what is happening inside the voting process, when we are using only a computer. >> some of the phrases we talked about earlier, for those involved in security, we see
that people have a ton of confidence in the internet. if they only knew what we knew. >> i will throw another blog in your ear. this. that was put forth, a good friend of ours, a standards guy. they have a the recalled software independence. an undetectable change in the outcome. the way you do that is that you do have some sort of durable, physical media that the voter can verify and recount later. the point being that if you
don't have something to audit, recount, independent from the software, you may be in a world of hurt. we worked on the notion of statistical recount, wrist limiting audits. the whole point being if you compare a subset of the ballots with the data structures, and you don't find enough errors that disagree speaking that would show you that the outcome would change if you actually recounted it, then you don't have to do a recount. you know there is no error that would have been possible. californians change their law recently -- you can do the traditional way of certifying the machine on the front or you can skip all that.
you can do one of these audits that show that no one else would have won. the trick is what happens if you find errors. then you have a recount. >> we know this guy. >> sri international. the point of internet voting is to make it easier for voters to cast their votes in a way that gets counted accurately. the next generation is the cryptographic voting systems. two recent studies that have come out that cost some concern. one showed that voters could not
figure out how to do the verification with three of the most commonly used systems. it was too complicated for them to understand how. in another study, which is about to be released, even if they can figure out how, they are not motivated. they do not understand why. my question is, how do we get to systems that are -- have the desired capability, but also offer the voter what they need. another piece of this is the notion of being able to cast ballots -- voters do not understand why they should want to use the technology. if the voters don't understand why to use it, how do we get to the cyber-human parts of the voting issue? >> i will be really quick. if we can describe some of these
cryptographic ideas in normal terms -- i can teach you the high level notion of what that is -- we need to be able to do things like that that don't cover only little components, but talk about the role of the technology in accomplishing the integrity we need. >> they want to go in and make their decision, push the button, and they are done. the vote is counted. that is the extent. that is the challenge we have to get over. we have to make sure that we have means that allow for a system that helps them do that in a versatile way.
>> in this project, the voters verify that their selections have been made. one of the problems that we have in this project is how to balance the verifiability and the usability. most people don't care about this. this is for the people who do not trust the system. the weight is, how can we introduce this in a way so that the system can distinguish between somebody who is going to verify and somebody who makes any kind of trick. so, the problem is how can we
provide this as an option, but does not jeopardize the voting process for the voters. at the same time, to make verification efficient. we put this as on option in some cases. in a way that is not -- the codes are arty sent by the voters. what usually happens in norway -- 70% of the voters check their return codes. it has not been based on a real
study. it was based on a problem they had when they were trying to print some voting cards. the people that called made a stipulation that means that 70% of the people who received wrong voting cards detect the error. >> the more data we have for the studies, the better. >> the norwegian system has not been studied here in the united states. it is a system since 2011, and also it has been shown in different conferences. our experience is that -- it is
important to design a verification process that is easy for the voters. it is also important that the critics understand. if the voters understand, it is fine for them. the important part is that the system can make a distinguishing decision. >> the voters do not always care what kind of voting system they will face. what is more compelling to them is who they want to vote for and whether this election is important. once they get there, i think it is the responsibility of the stakeholders to care about elections. we need to make sure that it is
available, function, and that it will work. you said something that caught my attention -- you hear about all these breaches. you wonder sometimes where the idea of sending a something as votes over the internet -- how did that get to be a good idea? i think that we have this natural inclination and can do spirit. we have come to admire when people make light of challenges and obstacles or minimize them. that is because if they are less daunting, we can do this. we can overcome it. we can apply ourselves. i think that is one of the reasons there is voting in the country today. the unfortunate part of it is if there are shades of bad, it is the worst of the worst. the ballot is being sent in an
unencrypted e-mail attachment to election offices. i told somebody about this one time. somebody who was doing security consulting for large firms. his eyes got large and he wanted to cover his ears and not hear what i was saying. it is true. i think there is a lot of bridging that needs to happen for people to understand what the key challenges are, what we need, and work on those kinds of research problems. >> i think it is they can do front your spirit of rhode island that is carrying us through. [laughter] >> final round of comments here. joe said it would take 30 years to 40 years. that is kind of a long time. the digital natives using this now will be in their 40's or
50's. that means i will be in my yng 60's. [laughter] that is a long way. i am curious if the other panelist agreed with that timeframe. maybe, if there is one kind of thing that we can do, that one thing, what would that be? >> i think that may be a little long because of the whole process on how fast technology is advancing, but there does need to be an effort, a focused effort, on trying to deal with the problems today. we have to do a better job. someone mentioned earlier that identity is a big one. there are a reasonable amount of things that you can do to provide a more secure environment, no you're talking with.
you still have those underlying issues that the devices to be secure. i don't think it would take white that long. if we want to really push this, we need to look at the concerted effort to design a national environment that standards-based, that's going to be able to scale. if we are solving a local issue, find food we can do that without a lot of work in 30 years or 40 years. if we are solving a national issue, we have a real problems that need to be addressed, real design considerations. we need to discern whether or not we are going to do this on top of a trusted or on trusted environment. those decisions need to be made. intel we can get to a national focus, we were not solve the
problem. >> you agree with this estimate of 30 years or 40 years? >> if you talk to folks who evaluate these kinds of proposals, protocol stacks for the next generation internet -- what might replace what we have now -- their most optimistic projection to have a coherent internet is 40 years. this is something that no one knows anything about. right now, you have folks doing adversarial routing attacks. suddenly a route is rerouted through kazakhstan for an hour. what the heck. there are things like that i don't think you can solve until
we have a fully deployed piecemeal path to the internet. >> i am going to shout out to missouri. we are also a show me people. i think we need to ask what is the floor beneath which we are not willing to sink. i think we owe ourselves systems that do produce the evidence you can use to know that was the correct outcome. i think joe is on the money with the timeframe. that is my take. >> i don't think we need to wait 30 years or 40 years.
we manage this risk in a way that is acceptable. ultimately there are people thinking about how to use technology in the elections. risks are evolving. we have different parties like my company. to see if they are acceptable to use for an election only for certain groups. we need to move. we cannot wait. if we wait we will find other risks in the future. i think we have the technology
now for introducing internet voting. if we want to limit the risk we can think about using certain people. risks are also present. i think it is not the solution. >> some things we might be able to do to shorten that is to let these elections, part where we can get our heads around this and figure out how to use it. we can lay the sidewalks but we really won't know how people want to use this technology. my concern is we can imagine how long it is going to take to solve these problems. we are on this slope. unfortunately the attackers are on this slope. my concern is that hackers might
get much better than the defenders. this is what mcafee has been trying to get that. if we want to unlock these gains, we have got to start getting security right. to us that is the important message. it is not just talking about the downside and the risk but also the benefits we can unlock if we get this right. i want to thank mcafee and my panelists. i want to thank paul and robbie, who are doing our tweets. the volunteers are interns. our next event, national cyber security awareness month will be here to talk about updates, so
we will have tom cornman from the house committee on intelligence. we will talk about risk. on the fifth of november -- i am sorry. on the fourth of november we will have an event on nato talking about the new cyber strategy. that is going to be with the assistant secretary-general, so the top nato official probably won't be here on the fourth of november. keep your eyes open for the next paper we are doing with mcafee. one of these places if we don't get security right we are not going to be able to unlock the amazing potential we can find.
on newsmakers, the campaign director for the senate majority responsiveenter for politics has spent more than any other the cycle. 30 point $.5 million. about how thes pack is spending its money. newsmakers is at 10:00 and 7:00 eastern. >> three members of congress talk about the technology legislation. >> we passed a law that makes it possible for the major give back some of their spectrum that they have had.
because the fcc the authority to repackage spectrum and reallocated. the low-power television .ndustry is granted licenses they are subject to availability of spectrum and the particular marketplace. i am concerned about an improper kill switch on a phone. what this bill says is that you certainly can ask your carrier to cut your phone off. you can ask that the phone be cut off. or, if you are a government agency in order to do that -- >> that is very bad behavior, fraudulent. getting information from the